Analysis of Rentable NFT proposal EIP-4907

GoPlus Security
2 min read · Jun 29, 2022

Go+ researcher Ben gives a brief walkthrough of EIP-4907 from a security perspective.

The rentable NFT proposal EIP-4907 has been finalized, and we expect more and more projects to adopt the ERC-4907 NFT standard. Let’s have a look at the official demo.

[Image: the official ERC-4907 demo contract, from @DoubleProtocol, the EIP-4907 proposer.]

1) ERC-4907 is an extension of an existing NFT standard, ERC-721: it inherits every ERC-721 feature and adds its own. The defining addition is a second role. Alongside the Owner, each token may have a User, and an expiry timestamp is associated with that User.

2) If you are the Owner or an approved account of an NFT and want to authorise someone to use it, call setUser() with the User address and the expiry time. An UpdateUser() event is emitted afterwards.

3) Anyone can call the userOf() function to find out who the current User of an NFT is, and userExpires() to check when that use right expires.

4) _beforeTokenTransfer() from the ERC-721 superclass is overridden; it runs on every ownership transfer. The override first calls the super function and then, unless the transfer is a self-transfer, removes the current User’s use right and emits an UpdateUser() event.
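The four points above map onto a small contract. The following is an added example written for this article, not the official demo or DoubleProtocol's code; it follows the EIP-4907 reference design and assumes OpenZeppelin Contracts 4.4 to 4.7, whose ERC721 exposes _isApprovedOrOwner() and the three-argument _beforeTokenTransfer() hook (later releases changed that signature). The contract name RentableDemo and the unrestricted mint() helper are assumptions for local testing only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: an ERC-4907 token following the EIP's reference design.
// Assumes OpenZeppelin Contracts 4.4-4.7 (three-argument _beforeTokenTransfer).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Interface exactly as specified in EIP-4907.
interface IERC4907 {
    // Emitted whenever the User or its expiry changes, including the
    // reset to (address(0), 0) performed on ownership transfer.
    event UpdateUser(uint256 indexed tokenId, address indexed user, uint64 expires);
    function setUser(uint256 tokenId, address user, uint64 expires) external;
    function userOf(uint256 tokenId) external view returns (address);
    function userExpires(uint256 tokenId) external view returns (uint256);
}

contract RentableDemo is ERC721, IERC4907 {
    struct UserInfo {
        address user;   // holder of the use right
        uint64 expires; // unix timestamp after which the use right lapses
    }

    mapping(uint256 => UserInfo) internal _users;

    constructor() ERC721("RentableDemo", "RDEMO") {}

    // Minting helper for local testing only; a production token would gate this.
    function mint(address to, uint256 tokenId) external {
        _mint(to, tokenId);
    }

    // Point 2: only the Owner or an approved account may grant the use right.
    // Without this require() anyone could assign or overwrite the User of any token.
    function setUser(uint256 tokenId, address user, uint64 expires) public virtual override {
        require(_isApprovedOrOwner(msg.sender, tokenId), "ERC4907: caller is not owner nor approved");
        UserInfo storage info = _users[tokenId];
        info.user = user;
        info.expires = expires;
        emit UpdateUser(tokenId, user, expires);
    }

    // Point 3: expiry is enforced at read time. After `expires` the User is
    // reported as address(0) even though storage is unchanged, so consumers
    // (games, access gates) must rely on userOf(), never on the raw mapping.
    function userOf(uint256 tokenId) public view virtual override returns (address) {
        if (uint256(_users[tokenId].expires) >= block.timestamp) {
            return _users[tokenId].user;
        }
        return address(0);
    }

    function userExpires(uint256 tokenId) public view virtual override returns (uint256) {
        return _users[tokenId].expires;
    }

    // Lets integrators detect ERC-4907 support via ERC-165.
    function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
        return interfaceId == type(IERC4907).interfaceId || super.supportsInterface(interfaceId);
    }

    // Point 4: an ownership transfer revokes the use right so a buyer does not
    // inherit a tenant set by the previous owner. A self-transfer keeps it.
    function _beforeTokenTransfer(address from, address to, uint256 tokenId) internal virtual override {
        super._beforeTokenTransfer(from, to, tokenId);
        if (from != to && _users[tokenId].user != address(0)) {
            delete _users[tokenId];
            emit UpdateUser(tokenId, address(0), 0);
        }
    }
}
```

Two consequences of this design are worth checking when reviewing an ERC-4907 integration. First, _isApprovedOrOwner() covers operators granted via setApprovalForAll(), so a marketplace or rental operator that holds blanket approval can also set the User; the current User, by contrast, has no authority to re-assign the right, so there is no sub-leasing by default. Second, because expiry is only checked in userOf(), a consuming contract that stores the User address once and reuses it later will keep honouring an expired lease; it should call userOf() at the moment of use.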

Summary: ERC-4907 separates NFT ownership from use rights through its dual roles, and the use right is revoked automatically on expiry. ERC-4907 will greatly reduce the cost of leasing utility NFTs such as game items, metaverse assets and membership cards, making NFT assets more liquid.
